Up Your Password Game

It doesn’t take many years in this increasingly connected world to rack up dozens of accounts for online shopping, work, banking, video/music streaming and etc. This is the Internet age, and the need for a large number of user accounts is just an annoying fact of life. How does anyone even manage the passwords for all these accounts? Do you have a few passwords you reuse for all your accounts? Do you use simple passwords that are easy to remember, like Matt9900 or kitten38? If you answered yes to either of those questions, then I have a New Year’s Resolution that will make your life easier and more secure.

What You Should Do

Everyone that does not already use a Secure Password Manager should make a New Year’s resolution to start. No, I’m not talking about a Word or Excel file you keep on your desktop called “Passwords”, or a sticky note on the bottom of the keyboard. What I am talking about is a software/service like Lastpass.com,Roboform.com or Keepass.info that helps you generate and manage strong passwords. Password managers work by using a single strong password/passphrase to protect all your passwords and provide features that help with the generation and management of passwords for all your accounts. Most password managers will even auto-magically fill in your login information on websites with the click of a button.

To get more information on two solid secure cloud based and inexpensive password managers take a look at http://www.roboform.com/how-it-works and https://lastpass.com/how-it-works/. At most you are currently talking around $10/year and there are free accounts with less features. Sign up, start using one today, but remember to use a strong password like “##IHadChipotleW/ThePurplePeopleEater7788” as your master password. A good non-cloud based password manager is Keepass, which is open source (free) and available on pretty much every platform. For most people a cloud based option is the better choice because you don’t need to figure out a way to back it up and sync across multiple devices. I use a cloud based password manager and also Keepass.

One of the many benefits a password manager provides is not constantly having to reset passwords for accounts because you can’t remember them. In addition to this, you don’t have to worry when there is another big data breach that now someone has the single password you use across all your important accounts. Let’s talk about passwords and why it is important to use strong ones.

Why it is Important to Use Strong and Unique Passwords

To understand why strong and unique passwords are important, you need to know the basics of how passwords work and how to crack them. When you create an account with a website and give it a password of pass1234 (Not a good password at all!) the website can store it in a number of ways. The worst way would be to take the password and just store it as is. If a password is stored without being obscured it is called cleartext. Anyone with access to the website’s cleartext password database, which may be bad guys, can see everyone’s passwords. Surprisingly, there are sites that still store passwords in cleartext, which is one reason you can’t just use one password across all your accounts, even if it is a good strong passphrase like $$IHadChipotleW/ThePurplePeopleEater7788. Passphrases are a great way to generate a strong master password for a password manager that are easy to remember. Just make sure to use uncommon phrases and add capitalization, and numbers/symbols.

A better way for a website to store user passwords is to take the password and run it through something called a one-way hashing function, which obscures the password and outputs it in a fixed length. They call it a one-way hash because it is easy to put something through it one direction, but essentially impossible to go back through the other way. Like putting meat through a grinder to make hamburger. An example of this would be the password pass1234 run through the SHA1 hashing algorithm, which results in the hashed value 789b49606c321c8cf228d17942608eff0ccc4171. When logging into a site it takes the password you enter and runs it through the one-way hash. If the output matches the hash stored when you set your password, you are allowed to log in. This is good, but hash analysis can be used to easily figure out simple passwords.

Cracking a password is essentially the process of guessing passwords until you get the correct one. Most sites, work computers and etc. will stop you from guessing passwords after a couple attempts. If someone steals the password database all bets are off. The attacker now has access to the hashes and can guess as much as they want. One way this works is by creating, or using an existing table that contains common passwords and the resulting hash value. This is then compared to the hash value of the unknown password. If you get access to a password database and it has a password with the hash 12uiy, you can compare it to your hash table and look for a match. Ex. hash table: apple = a8990, bravo = 12uiy, orange = 90adf and pear = 0123e in this case you search your table of known hashes and find 12uiy is in your table and matches the word bravo. That means the password is bravo. It takes time to generate hash tables, so the longer, more unique and complicated, the harder it is to use hash comparison to find someones password from the hash. This is why using a strong password is important. Every password can eventually be cracked, but the harder it is, the longer it takes. So while pass1234 may take seconds or minutes to crack, ILoveWalrusAndMuffinsOn9900$$ Will take much longer.

Comparison of hashes is made even harder when organizations do something called salting passwords, which is taking the password you enter and adding something additional to it before hashing. Using this method makes it harder for an attacker because a new hash table needs to be created for every user at a specific site, if done right. This takes a lot of extra time, so it is easier for attackers to focus on simple and common passwords in those situations. Bcrypt is another way to make passwords harder to crack, which is even better than salting alone. Just remember a lot of people don’t properly store user passwords, so advanced password storage features are something that can’t be counted on.

Conclusion

In conclusion, I am saying to simply stop using the same couple passwords on all your accounts and accomplish this by using a password manager.